Threat Actor

Grandoreiro

grandoreiro · latin_america_brazilian_organized_cybercrime · active since 2016

Grandoreiro (Portuguese for "great thief"; canonical industry naming, with ESET introducing the NewGrandoreiro name for the post-disruption active fork, tracked since at least December 2023 per ESET's May 28, 2024 X disclosure) is the most well-known Latin American banking trojan: a Brazilian-origin organized-cybercrime malware family active since at least 2016 per Kaspersky tracking, operated under a Malware-as-a-Service (MaaS) model and targeting 1,700+ banks across 45+ countries in 2024 per Kaspersky Securelist (up from 900 banks in 40 countries in 2023), plus 276 cryptocurrency wallets.

First Latin American-origin cluster in the corpus; it addresses a geographic-origin diversity gap, since prior Latin-America-targeting clusters all originate from Russia, China, DPRK or English-speaking youth groups. Standalone malware platform cluster paralleling guildma_astaroth and mekotio in the Latin American banking trojan operators cell.

Brazilian-origin organized cybercrime attribution rests on INTERPOL's canonical January 2024 multi-agency disruption operation (Brazilian Federal Police + Spanish National Police with ESET, CaixaBank, Kaspersky, Trend Micro, Group-IB and Scitum; 5 arrests + 13 search-and-seizure actions across 5 Brazilian states per INTERPOL Cybercrime Director Craig Jones and Brazilian authorities), preceded by the Spanish Civil Guard's July 2021 arrest of 16 distribution-network individuals (~€300,000 stolen + €3.5M in attempted transfers blocked per ESET's "Dirty Dozen of Latin America" December 2021 retrospective).

Financial impact: €3.5M+ confirmed fraud per INTERPOL; €110M+ that failed attempts could have yielded per CaixaBank's assessment; Bleeping Computer's summary puts the figure at $120M in losses.

Kaspersky 2020-2022 telemetry recorded 150,000+ attacks on 40,000+ users worldwide (most affected: Brazil, Spain, Mexico, Portugal, Argentina and the USA).

Operational target profile expanded post-January 2024 disruption per IBM X-Force March 2024 tracking to Central and South America, Africa, Europe and the Indo-Pacific (60+ countries, now including English-speaking targets; lures include Mexico's SAT, the Argentine revenue service and the South African Revenue Service).

Operational attack architecture:
(1) Spanish-, Portuguese- and English-language spearphishing emails impersonating courts, telecom and energy companies, and Mexican CFDI electronic tax invoices.
(2) Loader delivered in a ZIP archive with a PDF icon disguise, artificially inflated to 100MB+ so the extracted file exceeds the size limits of many anti-malware scanners.
(3) Sandbox and AV detection plus country geolocation checks; execution is skipped on systems geolocated to Russia, Czechia, the Netherlands or Poland, and on Windows 7 hosts in the US with no antivirus installed (per IBM X-Force).
(4) Cluster-defining DGA with multiple seeds, separating C2 communications from operator tasking per IBM X-Force.
(5) Registry Run key persistence (HKCU and HKLM Software\Microsoft\Windows\CurrentVersion\Run).
(6) Cluster-defining banking credential theft: fake banking login pop-up overlays, keylogging, mouse simulation, screen sharing and 2FA OTP capture via overlay pop-ups (the operator blocks the victim's screen and displays fake login and 2FA prompts).
(7) Cryptocurrency wallet clipboard replacer: monitors the clipboard for wallet keys and swaps in the threat actor's own.
(8) Signature Microsoft Outlook abuse: the Outlook Security Manager add-in tool is used to disable security alerts, and spam is sent from the victim's Outlook account to new targets.
(9) Signature mouse-pattern recording ML-bypass tradecraft (July 2024+ versions): records the victim's average mouse speed for 5 seconds to bypass machine-learning-based security systems per Kaspersky Securelist (Portuguese strings GRAVAR_POR_5S_VELOCIDADE_MOUSE_CLIENTE_MEDIA and "Medição iniciada, aguarde 5 segundos").
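The inflated-archive trick in step (2) works because many scanners skip files above a size cap, but the padding that gets a loader past the cap also leaves a measurable artifact: a huge run of one repeated byte that compresses to almost nothing. The following triage script is an added example written for this page; it is not code from the page's sources or from the malware. It builds a constructed ZIP (a pseudo-random "MZ" body plus a padding tail, file name and thresholds are assumptions), then reports per-member compression ratio, trailing-pad length and whether the extracted size would exceed a 100MB scanner cap.

```python
import hashlib
import io
import zipfile

# Thresholds are assumptions for this example, not values from any vendor report.
SCANNER_SIZE_LIMIT = 100 * 1024 * 1024   # many engines skip files above ~100 MB
MIN_COMPRESSION_RATIO = 20.0             # padded files compress far better than real code
MIN_PAD_FRACTION = 0.5                   # more than half the file is one repeated byte


def build_sample_zip(real_size=4096, pad_size=2_000_000, pad_byte=b"\x00"):
    """Constructed sample: a pseudo-random 'executable' body (MZ header plus a
    SHA-256 chain, so it is incompressible like packed code) followed by
    pad_size bytes of a single value, the way an inflated loader is padded.
    pad_size=0 yields a clean control file."""
    body = bytearray(b"MZ")
    block = b"seed"
    while len(body) < real_size:
        block = hashlib.sha256(block).digest()
        body += block
    payload = bytes(body[:real_size]) + pad_byte * pad_size
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("documento.exe", payload)   # constructed member name
    return buf.getvalue()


def trailing_run(data):
    """Length of the run of identical bytes at the end of data (the padding tail)."""
    if not data:
        return 0
    return len(data) - len(data.rstrip(data[-1:]))


def triage_archive(zip_bytes):
    """Inspect every member of a ZIP and flag executables that look inflated."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            pad = trailing_run(data)
            ratio = info.file_size / max(info.compress_size, 1)
            pad_fraction = pad / max(len(data), 1)
            is_pe = data[:2] == b"MZ"
            finding = {
                "name": info.filename,
                "is_pe": is_pe,
                "size": info.file_size,
                "compressed": info.compress_size,
                "ratio": round(ratio, 1),
                "trailing_pad": pad,
                "pad_fraction": round(pad_fraction, 3),
                # would a size-capped scanner skip the extracted file?
                "exceeds_scanner_limit": info.file_size > SCANNER_SIZE_LIMIT,
            }
            finding["suspicious"] = is_pe and (
                ratio >= MIN_COMPRESSION_RATIO or pad_fraction >= MIN_PAD_FRACTION
            )
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for label, sample in (("inflated", build_sample_zip()),
                          ("clean", build_sample_zip(pad_size=0))):
        for f in triage_archive(sample):
            print(label, f)
```

Run it on a real archive by passing the file's bytes to triage_archive. The compression-ratio and trailing-run heuristics catch zero- or constant-byte padding; a sample padded with random bytes defeats both, so in that case compare the on-disk size against the end of the last section declared in the PE section table instead, and treat any member whose extracted size exceeds your scanner's cap as unscanned rather than clean.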

Enhanced obfuscation: multi-layer AES-CBC string encryption with a custom decoder, departing from the algorithms commonly shared across Latin American banking trojans. MaaS operational model: the malware is rented to other cybercriminals, and proceeds are laundered through a money mule network back to Brazil.

Close operator relations to Mekotio per ESET's January 2024 disruption investigation analysis: police linked one arrested suspect to Mekotio, consistent with cluster-cell coherence with the Mekotio cluster.

Delphi codebase, the signature typical of Latin American banking trojans. Cluster placement: member of Kaspersky's canonical 2020 "Tetrade" framework alongside Guildma, Javali and Melcoz. The post-disruption global expansion, together with the NewGrandoreiro fork active since December 2023 (i.e. predating the arrests) per ESET, indicates that either a separate operator team or a split developer team survived the January 2024 arrests. Kaspersky's cooperation with INTERPOL's canonical multi-vendor coordination demonstrated industry and law enforcement collaborative capability.

The cluster fills the most-globally-expansive Latin American banking trojan position in the LATAM banking trojan operators cell and is the first Latin American-origin cluster in the corpus. It is the canonical illustration of a MaaS-model Latin American banking trojan and of an INTERPOL multi-agency disruption case study, cited in essentially all subsequent Latin American banking trojan, Brazilian cybercrime and MaaS operator industry analyses through the 2016-2026 period.

Attribution: latin_america_brazilian_organized_cybercrime (confidence: high) · 12 aliases
Sigma rules: 200 · YARA rules: 0 · Live IOCs: 0 · CVEs exploited: 0

Profile

Grandoreiro (Portuguese for "great thief"; canonical industry naming, with ESET introducing the NewGrandoreiro name for the post-disruption active fork tracked since at least December 2023) is the most well-known Latin American banking trojan: a Brazilian-origin malware family active since at least 2016, operated under a Malware-as-a-Service (MaaS) model and targeting 1,700+ banks across 45+ countries in 2024 per Kaspersky. Brazilian-origin organized cybercrime attribution rests on INTERPOL's canonical January 2024 disruption operation (Brazilian Federal Police + Spanish National Police with ESET, CaixaBank, Kaspersky, Trend Micro, Group-IB and Scitum; 5 arrests + 13 search-and-seizure actions across 5 Brazilian states), preceded by the Spanish Civil Guard's July 2021 arrest of 16 distribution-network individuals. Standalone malware platform cluster paralleling guildma_astaroth and mekotio in the Latin American banking trojan operators cell, and the first Latin American-origin cluster in the corpus, addressing a geographic-origin diversity gap: prior Latin-America-targeting clusters all originate from Russia, China, DPRK or English-speaking youth groups.

Operational target profile
  • 1,700+ banks in 45+ countries (2024 per Kaspersky) + 276 crypto wallets targeted.
  • Brazil + Mexico + Spain + Portugal + Argentina + Peru + Chile + Colombia primary historical Latin American + Iberian targets.
  • United States + South Africa + Africa broadly + Europe broadly + Indo-Pacific post-disruption global expansion 2024.
  • Country avoidance: Russia + Czechia + Netherlands + Poland + Windows 7 US no AV per IBM X-Force.
  • Financial impact: €3.5M+ confirmed fraud per INTERPOL; €110M+ that failed attempts could have yielded per CaixaBank's assessment; $120M in losses per Bleeping Computer's summary.

Operational attack architecture:
(1) Spearphishing initial infection (cluster-defining): Spanish-, Portuguese- and English-language emails impersonating courts, telecom and energy companies, and Mexican CFDI electronic tax invoices.
(2) Inflated ZIP archive with PDF icon disguise: custom loader artificially inflated to 100MB+ to bypass anti-malware scanning size limits.
(3) Sandbox and AV detection + country geolocation check: skips systems geolocated to Russia, Czechia, Poland or the Netherlands, and Windows 7 hosts in the US with no antivirus.
(4) DGA with multiple seeds (cluster-defining): separate seeds for C2 communications and operator tasking per IBM X-Force.
(5) Registry Run key persistence (signature): HKCU and HKLM Software\Microsoft\Windows\CurrentVersion\Run, a new persistence mechanism per IBM X-Force.
(6) Banking credential theft (cluster-defining): fake banking login pop-up overlay, keylogging, mouse simulation, screen sharing and 2FA OTP capture via overlay pop-up.
(7) Crypto wallet clipboard replacer (signature): monitors the clipboard for cryptocurrency wallet keys and replaces them with the threat actor's.
(8) Microsoft Outlook abuse (signature): Outlook Security Manager add-in tool abused to disable security alerts; spam sent from the victim's Outlook to new targets.
(9) Mouse-pattern recording ML-bypass tradecraft (signature, July 2024+): records the victim's average mouse speed for 5 seconds to bypass machine-learning-based security systems.

Signature operational tradecraft:
  • Brazilian-origin Latin American banking trojan ecosystem origin (first in corpus).
  • MaaS operational model: rental to other cybercriminals per IBM X-Force + Kaspersky.
  • Money mule network funds laundering back to Brazil: signature money flow pattern.
  • Most-globally-expansive Latin American banking trojan: 1,700 banks + 45 countries per Kaspersky 2024.
  • Sophisticated evasion: country avoidance + mouse-pattern recording + multi-layer AES CBC + custom decoder string decryption + DGA multi-seed.
  • Tetrade family per Kaspersky 2020 framework (Guildma + Javali + Melcoz + Grandoreiro)
  • Close operator relations to Mekotio per ESET January 2024 disruption investigation: cluster- cell coherence with Mekotio cluster.
  • Delphi programming language origin (signature typical Latin American banking trojan).
  • NewGrandoreiro fork active since December 2023: a pre-disruption fork, suggesting a separate development branch.

The cluster fills the most-globally-expansive Latin American banking trojan position in the LATAM banking trojan operators cell and is the first Latin American-origin cluster in the entire corpus.
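The Run key persistence in architecture step (5) is the one behaviour in this profile that ordinary endpoint telemetry sees directly: Sysmon Event ID 13 records every value written under CurrentVersion\Run, in both hives, provided the Sysmon configuration includes those keys. The detector below is an added example for this page, not code from any of the cited vendors; it runs over constructed Sysmon-shaped events (field names follow Sysmon's schema, the paths, SID and value name are made up) and scores each Run key write by whether the launched binary or the writing process lives in a user-writable directory and whether the writer is on an allowlist (the allowlist is an assumption to tune per fleet).

```python
import re

# Constructed Sysmon Event ID 13 (RegistryEvent: Value Set) records for this
# example; field names follow Sysmon's schema, the values are made up.
SAMPLE_EVENTS = [
    {"EventID": 13,
     "Image": r"C:\Users\maria\AppData\Local\Temp\Q1A9.exe",
     "TargetObject": r"HKU\S-1-5-21-111-222-333-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AtualizadorDoc",
     "Details": r"C:\Users\maria\AppData\Roaming\AtualizadorDoc\AtualizadorDoc.exe"},
    {"EventID": 13,
     "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "Details": r"%windir%\system32\SecurityHealthSystray.exe"},
    {"EventID": 13,
     "Image": r"C:\Windows\System32\services.exe",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Services\Spooler\Start",
     "Details": "DWORD (0x00000002)"},
    {"EventID": 1,
     "Image": r"C:\Windows\explorer.exe",
     "TargetObject": "", "Details": ""},
]

# Sysmon writes HKCU paths as HKU\<SID>\..., so one pattern covers both hives,
# plus the WOW6432Node and RunOnce variants.
RUN_KEY_RE = re.compile(
    r"^(?:HKU\\[^\\]+|HKLM)\\SOFTWARE\\(?:WOW6432Node\\)?Microsoft\\Windows"
    r"\\CurrentVersion\\Run(?:Once)?\\",
    re.IGNORECASE,
)
# Locations a non-admin user can write to; a loader dropped by a phishing
# archive normally lives in, and persists from, one of these.
USER_WRITABLE_RE = re.compile(
    r"\\(?:Users\\[^\\]+\\(?:AppData|Downloads|Desktop|Documents)|ProgramData|Temp)\\",
    re.IGNORECASE,
)
# Writers that legitimately set Run values on a managed host (assumption; tune per fleet).
ALLOWLISTED_WRITERS = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\msiexec.exe",
}


def score_event(ev):
    """Return an alert dict for a Run key write, or None if the event is not one."""
    target = ev.get("TargetObject", "")
    if ev.get("EventID") != 13 or not RUN_KEY_RE.match(target):
        return None
    image, details = ev.get("Image", ""), ev.get("Details", "")
    reasons = []
    if USER_WRITABLE_RE.search(details):
        reasons.append("run value launches a binary from a user-writable path")
    if USER_WRITABLE_RE.search(image):
        reasons.append("writer process runs from a user-writable path")
    if image.lower() not in ALLOWLISTED_WRITERS:
        reasons.append("writer is not an allowlisted installer/service")
    severity = "high" if len(reasons) >= 2 else "medium" if reasons else "low"
    return {
        "hive": "HKLM" if target.upper().startswith("HKLM") else "HKCU",
        "value_name": target.rsplit("\\", 1)[-1],
        "image": image,
        "command": details,
        "severity": severity,
        "reasons": reasons,
    }


def detect(events):
    """Run every event through score_event and keep the alerts."""
    return [a for a in (score_event(e) for e in events) if a is not None]


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["severity"], alert["hive"], alert["value_name"], alert["command"])
```

Feed it the parsed EventData of real Sysmon events and the "high" tier (a Run value pointing at AppData, Temp or ProgramData, written by a process running from the same kind of path) is the Grandoreiro-shaped case; "low" hits, such as a service writing a %windir% path, document the expected baseline. Expand environment variables in Details before matching if your fleet registers Run values that way, and remember that Sysmon only emits Event 13 for keys its configuration selects.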

Aliases

12 aliases: grandoreiro; grande ladrao; grandoreiro_banking_trojan; grandoreiro_malware; newgrandoreiro; new grandoreiro; grandoreiro brazilian banking trojan; grandoreiro latam banking trojan; grandoreiro maas malware as a service; grandoreiro 1700 banks 45 countries; grandoreiro interpol disruption january 2024; grandoreiro outlook spam mechanism

Notable Campaigns

11 campaigns
  • 2024 · INTERPOL + Brazilian Federal Police January 2024 Disruption Operation
  • 2024 · Grandoreiro Global Return, IBM X-Force March 2024 Tracking
  • 2024 · ESET NewGrandoreiro Fork Disclosure (May 28, 2024)
  • 2024 · Kaspersky Grandoreiro Recent Versions Tracking, 1,700 Banks in 45 Countries (2024)
  • 2021 · Spanish Civil Guard Arrests Linked to Grandoreiro Distribution (July 2021)
  • 2021 · Grandoreiro Largest Spain Campaign (August-September 2021)
  • 2020-2023 · INTERPOL Brazil + Spain Coordinated Investigation (2020-2023)
  • 2020-2022 · Kaspersky 2020-2022 Telemetry, 150,000+ Attacks on 40,000+ Users
  • 2020 · Kaspersky Tetrade Framework Classification (2020)
  • 2016-2026 · Continued Industry Reference Status (2016-2026)
  • 2016-2017 · Grandoreiro Origin + Spanish-Speaking Country Initial Targeting (2016-2017)

Attribution & Reporting

Attributed by
  • INTERPOL Cybercrime unit (canonical 2020-2024 disruption operation coordination, Craig Jones, Director)
  • Brazilian Federal Police (canonical January 2024 arrests + October 2024 follow-up)
  • Spanish National Police (canonical July 2021 + January 2024 + October 2024 disruption operations)
  • ESET WeLiveSecurity (canonical Latin American banking trojan tracking, Robert Lipovsky + Jakub Souček)
  • ESET (canonical May 28, 2024 NewGrandoreiro fork identification)
  • Kaspersky GReAT (canonical Tetrade framework + 2024 banking trojan resurfacing analysis, Fabio Assolini)
  • Kaspersky Securelist (canonical Grandoreiro recent versions tracking)
  • Trend Micro (canonical INTERPOL operation contributor, Joseph C. Chen + Trend Micro Research)
  • Group-IB (canonical INTERPOL operation contributor)
  • Scitum (Mexico-based, canonical INTERPOL operation contributor)
  • IBM X-Force (canonical March 2024 global return tracking, large-scale phishing analysis)
  • CaixaBank Spain (canonical financial impact assessment, €110M+ attempted)
  • Bleeping Computer (canonical industry reporting)
  • SC Media (canonical disruption coverage)
  • Cyber Magazine (canonical global return coverage)
  • The Hacker News (canonical NewGrandoreiro fork analysis)
  • SecurityWeek (canonical Tetrade reporting)
  • MITRE ATT&CK Software S1112 (Grandoreiro)
  • Malpedia Software Profile (Grandoreiro)
Key reporting
  • INTERPOL Cybercrime unit (Craig Jones, Director): Disrupting a Grandoreiro malware operation (2024), canonical multi-agency coordination disclosure
  • ESET WeLiveSecurity (Robert Lipovsky + Jakub Souček; Souček at ETeC 2024): canonical Latin American banking trojan tracking
  • ESET (May 28, 2024): NewGrandoreiro fork disclosure via X (Twitter) thread
  • Kaspersky GReAT (Fabio Assolini): canonical Tetrade framework + 2024 recent versions analysis
  • Kaspersky Securelist: Grandoreiro banking trojan, overview of recent versions and new tricks (2024)
  • Kaspersky USA Press Release: Kaspersky supports INTERPOL-coordinated action to disrupt Grandoreiro malware operation (March 18, 2024)
  • Trend Micro Research: canonical INTERPOL operation contributor
  • Group-IB: canonical INTERPOL operation contributor
  • Scitum (Mexico): canonical INTERPOL operation contributor
  • IBM X-Force: canonical March 2024 global return tracking, Grandoreiro Banking Trojan Resurfaces analysis
  • CaixaBank (Spain): canonical financial impact assessment, €110M+ attempted fraud
  • Bleeping Computer: Banking malware Grandoreiro returns after police disruption (May 2024)
  • The Hacker News: Grandoreiro Banking Trojan Resurfaces, Targeting Over 1,500 Banks Worldwide (May 2024)
  • Cyber Magazine: Banks beware, IBM Study Shows Grandoreiro Trojan is Back (May 2024)
  • SC Media: Grandoreiro trojan operation dismantled (January 2024)
  • SecurityWeek: Tetrade Brazilian Banking Trojans Go International (2020)
  • MITRE ATT&CK Software S1112: Grandoreiro
  • Malpedia Software Profile: Grandoreiro

Operational

State sponsor

Brazilian-origin organized cybercrime: a Latin American banking trojan operator group running a Malware-as-a-Service (MaaS) model, operationally separate from state-sponsored APT activity. Attribution chain:

(1) INTERPOL canonical attribution via its Cybercrime unit's coordinated 2020-2023 investigation. Per INTERPOL: "Between 2020 and 2022, as part of independent national cybercrime investigations, Brazil and Spain collected Grandoreiro malware samples. When they both turned to INTERPOL for support in analysing the material, INTERPOL's Cybercrime unit took on a coordinating role, launching an operation and calling on partners Trend Micro, Kaspersky, Group-IB and Scitum. By August 2023, analytical reports had identified matches between samples, allowing investigators to close in on the organized crime group."

(2) Brazilian Federal Police canonical January 2024 disruption operation: 5 arrests + 13 search-and-seizure actions across 5 Brazilian states per INTERPOL, ESET and Kaspersky. Per ESET at ETeC 2024: "In a joint effort between ESET, Interpol, Europol, and the Federal Police of Brazil, several arrests were made in January 2024 concerning the Grandoreiro campaign in Brazil, causing a serious blow to the botnet's operation."

(3) CaixaBank canonical loss assessment. Per INTERPOL: "the organization behind the malware is thought to have defrauded victims of more than EUR 3.5 million, however, according to CaixaBank several failed attempts could have yielded more than EUR 110 million." Per Bleeping Computer's summary: "the malware operation... had been targeting Spanish-speaking countries since 2017 and caused $120 million in losses."

(4) Kaspersky cooperation + canonical Securelist coverage. Per Kaspersky: "Kaspersky announced that it has assisted an INTERPOL-coordinated action, which has led to Brazilian authorities arresting five administrators behind a Grandoreiro banking trojan operation." Kaspersky has tracked Grandoreiro since at least 2016 and identified the MaaS model, the DGA, and 150,000+ attacks on 40,000+ users worldwide in 2020-2022, mostly in Brazil, Spain, Mexico, Portugal, Argentina and the USA.

(5) IBM X-Force March 2024 canonical global return tracking. Per IBM X-Force, as relayed by The Hacker News and Cyber Magazine: post-disruption "Grandoreiro appears to have returned to large-scale operations since March 2024, likely rented to cybercriminals via a Malware-as-a-Service (MaaS) model, and now targeting English-speaking countries too." Targets expanded to 1,500-1,700 banks across 60-65 countries in Central and South America, Africa, Europe and the Indo-Pacific.

(6) ESET May 28, 2024 "NewGrandoreiro" fork identification. Per ESET via The Hacker News: "disrupted Grandoreiro is different from the currently active Grandoreiro strain, giving it the moniker NewGrandoreiro." Active since at least December 2023 (pre-disruption); whether the same operators are behind it is uncertain. Major rewrite with a custom downloader, reworked DGA and modified codebase.

Operational mission objective: banking credential theft, cryptocurrency wallet theft, and remote command and control giving direct access to victims' bank accounts, with fraudulent transfers routed through money mule networks back to Brazil. Per INTERPOL: "Once in, the malware tracks keyboard inputs, simulates mouse activity, shares screens, and displays deceptive pop-ups, collecting data such as usernames, operating system information, device runtime and most importantly, bank identifiers. With full control over victims' bank accounts, criminals empty them, sending funds through a money mule network to launder the illicit proceeds before transferring the funds to Brazil."

Motivations
banking_credential_theft_direct_account_drainage, latin_american_financial_institutions_disruption_capability, global_expansion_post_disruption_capability_demonstration, maas_model_revenue_distribution_to_other_cybercriminals, cryptocurrency_wallet_theft_expansion, microsoft_outlook_client_abuse_for_spam_propagation, sophisticated_evasion_via_dga_country_avoidance_mouse_pattern_recording, money_mule_network_funds_laundering_to_brazil

Detection Blind Spots

60 techniques
Across this actor’s 60 mapped techniques, the share covered by each detection layer. Low bars are where you’d be blind if this actor targeted you.
Behavioral / log (Sigma): 53/60 · 88%
Analytics (MITRE CAR): 25/60 · 41%
Runtime / container (Falco): 5/60 · 8%
File / malware (YARA): 0/60 · 0%
Network (Suricata/Snort): 14/60 · 23%
Vuln scan (Nuclei): 0/60 · 0%

Atomic Test Plan

30 techniques
Runnable Atomic Red Team tests covering this actor's mapped techniques, to validate your detections against this specific adversary. Cross-reference the blind spots above. For authorized lab / purple-team use.

Tools Used

0 mapped
Other tooling / TTPs (curation, not ATT&CK-mapped):
  • Malware-as-a-Service (MaaS) model: rental to cybercriminals
  • Mekotio: close operator relations per ESET January 2024 disruption
  • Microsoft Azure cloud abuse
  • Money mule network funds laundering back to Brazil
  • Mouse pattern speed recording for ML security bypass
  • Sandbox / AV / analysis tool detection (OllyDbg, WinDbg, Process Hacker, Wireshark)
  • Screen sharing / operator remote desktop control
  • Substitution cipher obfuscation
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin